NIS2 Crowe Portugal

NIS2 Approved by the Portuguese Parliament

National Cybersecurity

Luís Lobo Silva
9/22/2025

Portugal Approves NIS2 Transposition: A New Chapter in National Cybersecurity

On Friday, September 19, the Portuguese Parliament approved the bill that transposes the European NIS2 Directive into national law, marking a decisive step in modernizing the country’s cybersecurity framework.

The NIS2 Directive — officially Directive (EU) 2022/2555 — aims to ensure a high common level of cybersecurity across the European Union. In Portugal, its transposition establishes a new legal regime requiring public and private entities in critical sectors (such as energy, health, transport, digital services, and public administration) to implement strict risk management and incident response measures. After the law is published in the "Diário da República", an electronic platform will be launched where covered entities must register within 60 days. Over the following 24 months, they must adopt all necessary measures to comply with the new legal requirements.

Key obligations and provisions include:

  • Enhanced cybersecurity risk management;
  • Robust internal policies and procedures;
  • Incident reporting and communication with authorities;
  • Audits and ongoing training;
  • The National Cybersecurity Center (CNCS) will have new powers and will be responsible for supervising, training, and supporting entities in implementing the required measures;
  • Penalties for non-compliance can reach up to €10 million or 2% of annual turnover, whichever is higher.

With this legislative approval, Portugal joins other EU Member States that have already advanced with NIS2 implementation. The expectation is that this new legislation will strengthen the country’s digital resilience and foster a more robust and pervasive security culture.

How Crowe Supports

  • NIS2 Assessment: Rapid mapping to frameworks (QNRCS, Roadmap, ISO/IEC, NIST), gap identification, quick wins, risk and priority heatmaps by service (including third-party dependencies);
  • Compliance and Governance: Policies, processes, and procedures; ICT and third-party risk management; evidence models for audits; continuity/DR plans by service; tabletop exercises for management focused on ransomware and operational shutdowns;
  • Technical Resilience and Continuous Operation: Vulnerability management, penetration testing, hardening, incident management, and targeted training/awareness for teams (operations, maintenance, IT/OT, compliance);
  • “As-a-Service” Model (aaService): To address the most cited challenge—resource scarcity—we offer ongoing support with predictable monthly costs, acting as an extension of your team and accelerating evidence production.

Conclusion
NIS2 is an opportunity to raise the digital maturity of the sector, enabling organizations to gain a competitive edge and strengthen the trust of clients and partners. With a pragmatic approach, focus on material risks, and integration with recognized frameworks, compliance and resilience are achievable.

Next Steps
Would you like an NIS2 assessment with quick wins in just a few weeks? Need team reinforcement for governance, evidence, or third-party management? Contact us. Crowe Portugal supports you from assessment to continuous operation (aaService).

Would you like to know more about our NIS2 Consulting services?